March 2012

Mar 29, 2012

According to Richard Clarke, government lawyers play such a large role in designing American covert cyber operations that by the time the lawyers are done messing with them, they're anything but covert:

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked.

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. And somehow it didn’t work.”

The last time I wrote about the restrictions that US government lawyers are piling on cyberweapons, I asked, "Lawyers don't win wars. But can they lose one?" Clarke's observation, however, suggests another problem.

If other nations decide that they can attribute attacks to the United States because our legal culture leaves such distinct fingerprints on our covert weapons, maybe the better question is whether American government lawyers will be responsible for causing the next war.

Mar 25, 2012

I testified a few days ago at a House Judiciary subcommittee hearing on REAL ID implementation. I expected to have harsh things to say about the way REAL ID has been handled by the National Governors Association and the Obama administration. And there was certainly plenty to criticize. But what surprised me after a few years away from the issue is how much progress has been made, almost reluctantly, by all parties. Much more secure identification is now within reach, though politics may delay the final steps much too long. Here’s some of what I told the subcommittee:

Unfortunately, not everyone agrees with the need for better drivers’ license security. Opposition to REAL ID unites the nations' governors and the ACLU. As a candidate, President Obama campaigned against REAL ID. And as a governor, Secretary Napolitano did the same. So it was no surprise that the Obama administration supported repeal of REAL ID and adoption of a softer approach, called PASS ID. Expecting PASS ID to be adopted, the administration soft-pedaled the states’ obligations under REAL ID.

But PASS ID did not pass, and REAL ID is still the law. Unfortunately, however, it's not being treated like a real law. In 2009, the Secretary of Homeland Security permanently stayed the deadline for states to come into material compliance, on the grounds that the Department was pursuing PASS ID. By March 2011, with the deadline for full compliance with REAL ID just two months away, that reasoning wouldn't work anymore; everyone recognized that PASS ID was dead. But the Secretary nonetheless postponed the deadline for full compliance to January 2013 without taking comments. The remarkable justification for the delay was that the administration had encouraged the states to hope that the law would change, so they didn’t take steps to comply with the law as it stands:

…

I only wish I could get an extension on my tax return by saying I was hoping the law would change before the returns were due but that I'm now ready to “refocus on achieving compliance” with the requirements of the tax code.

In fact, apart from hoping that the states will refocus, the Department does not seem to be doing much to encourage them to meet the new deadline. As far as I can see, it hasn’t audited state compliance; it hasn’t processed the submissions of states that want to certify their compliance with REAL ID; and it hasn’t pressed the states that are lagging far behind to step up their efforts.

…

[D]espite all the public outcry and political posturing, most motor vehicle departments are making good progress toward the goals set out in the REAL ID act. Janice Kephart of the Center for Immigration Studies has done invaluable work in surveying the states’ progress toward achieving compliance with the standards set by REAL ID. Her most recent study estimates that nine states are on track to achieve full compliance with all REAL ID requirements by January 2013, and that another 27 will have achieved material compliance with the act by then. That means that the great majority of states can meet the deadline, at least for material compliance, if they simply keep on doing what they have been doing.

In saying that I do not mean to overlook the distinction between material compliance and full compliance. The principal difference is that states can achieve material compliance without having in place an electronic verification system for birth certificates. To achieve full compliance, they must check birth certificates with the issuing jurisdiction.

Now, as you might guess from my early remarks, I think that checking birth certificates is crucial to achieving a more secure license system. Birth certificates are much easier to forge and much harder to check than licenses, so it’s no wonder that everyone from aspiring terrorists to cop-killing car thieves views a forged birth certificate as the key to building a fake identity.

And so, having an electronic system for checking birth certificates is crucial. It too should be in place as soon as possible.

…

Once again, there is good news on this front in the Kephart report, which says that by February of this year, 37 states had already entered their birth records into a system that allows other agencies to conduct verification online. This system, called Electronic Verification of Vital Events (or EVVE), is administered by the National Association for Public Health Statistics and Information Systems (or NAPHSIS). The network is still growing; NAPHSIS tells me that they’ve added another state since February; EVVE now covers 38 states. And the system isn’t just theoretically available. It’s actually being used on a daily basis by several US government agencies, such as the State Department’s passport fraud investigators, the Office of Personnel Management, and the Social Security Administration.

The really good news, then, is that there are no technical barriers to nearly immediate implementation of electronic birth certificate checks. Any state that can achieve material compliance by 2013 can also achieve the most important element of full compliance by that date; it just has to hook up its DMV to EVVE. In short, nearly 40 jurisdictions are on track to do what the 9/11 Commission recently urged them to do: implement drivers’ license security without delay.

The rest of the testimony is here. The hearing itself was remarkable in several respects. There was much less heat than I expected. Chairman Sensenbrenner, author of REAL ID, seemed pleased with the progress to date and disinclined to beat up the Administration. The Administration’s witness (my successor at DHS Policy, David Heyman) said there were no plans to extend the January 2013 deadline for full compliance. The governors’ witness was less hostile to REAL ID than in the past. The privacy groups were not much in evidence, and their arguments about the dangers of a giant database were undercut by the fact that four of the five data-sharing networks needed to implement REAL ID are already in operation, with George Orwell nowhere in sight. The lesson for government officials is that, despite enormous friction and resistance, things that ought to get done in Washington do get done, eventually. We aren’t quite done with REAL ID implementation, but if this were World War II, we’d be somewhere between D-Day and the Battle of the Bulge.